Registration form allows probing emails

Kirby

Well-known member
Affected version
2.2.16
Prerequisites
  1. At least one custom field is required to be filled out during registration
Steps to reproduce
  1. Open the registration form
  2. Using browser developer tools, remove attribute required from the required custom field
  3. Enter a random gibberish username
  4. Enter the email address to check
  5. Fully complete the registration form and submit it
  6. Examine the results
Result
An error message stating that the required custom field is missing.
If the email address is already in use there is also an error stating this.
This allows large numbers of email addresses to be checked for already having an account by repeating those steps.

Suggested Mitigation

CAPTCHA already helps (a bit) with this, but further mitigation seems to make sense
  1. Limit the number of registration attempts a single IP address can make within a certain time (like login strikes)
  2. If there are multiple errors and the email address is already in use, don't show this error but only the other errors.
    This slightly decreases usability but would IMHO be acceptable to harden the registration process.
  3. Optionally fully ban an IP address if it exceeds X "email already in use" errors
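As an added illustration that is not part of this post or of the software it describes: a hypothetical Python simulation of a registration validator. It reproduces the leak (the probe submits the form with the required custom field left empty and watches for the "email already in use" error), then shows the three suggested mitigations: a per-IP attempt limit over a time window, suppressing the "email in use" error whenever other validation errors are present, and banning an IP after X "email in use" hits. The function names, thresholds and sample addresses are assumptions made for the example.

```python
"""Simulated registration validation (hypothetical, not the forum software's code).

Demonstrates the email-enumeration leak from the bug report and the three
suggested mitigations: per-IP rate limit, error suppression, and IP ban.
"""
import time
from collections import defaultdict, deque

# Constructed sample of accounts that already exist (not real data).
EXISTING_EMAILS = {"alice@example.com", "bob@example.com"}


def validate_leaky(form):
    """Original behaviour: every failed check is reported, including
    'email_in_use', even when required fields are missing."""
    errors = []
    if not form.get("username"):
        errors.append("username_required")
    if not form.get("custom_field"):          # server-side required-field check
        errors.append("custom_field_required")
    if form.get("email") in EXISTING_EMAILS:
        errors.append("email_in_use")
    return errors


def validate_hardened(form):
    """Mitigation 2: only reveal 'email_in_use' when it is the sole error,
    so a form with the required field stripped learns nothing about the email."""
    errors = validate_leaky(form)
    if "email_in_use" in errors and len(errors) > 1:
        errors.remove("email_in_use")
    return errors


def enumerate_emails(validator, candidates):
    """Attacker's view of the reported steps: gibberish username, required
    custom field removed client-side, then look for the 'email in use' error."""
    found = set()
    for email in candidates:
        form = {"username": "xq9vz3", "email": email, "custom_field": ""}
        if "email_in_use" in validator(form):
            found.add(email)
    return found


class RegistrationThrottle:
    """Mitigations 1 and 3: limit attempts per IP in a sliding window and
    ban an IP once it has triggered 'email_in_use' too many times."""

    def __init__(self, max_attempts=5, window_s=600, ban_after_in_use=10):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.ban_after_in_use = ban_after_in_use
        self.attempts = defaultdict(deque)   # ip -> timestamps of attempts
        self.in_use_hits = defaultdict(int)  # ip -> count of 'email_in_use'
        self.banned = set()

    def check(self, ip, form, now=None):
        """Return the error list the client would see for this attempt."""
        now = time.monotonic() if now is None else now
        if ip in self.banned:
            return ["banned"]
        window = self.attempts[ip]
        while window and now - window[0] > self.window_s:
            window.popleft()                  # drop attempts outside the window
        if len(window) >= self.max_attempts:
            return ["rate_limited"]           # attempt rejected, not counted
        window.append(now)
        errors = validate_hardened(form)
        if errors == ["email_in_use"]:
            self.in_use_hits[ip] += 1
            if self.in_use_hits[ip] >= self.ban_after_in_use:
                self.banned.add(ip)
        return errors


if __name__ == "__main__":
    probe = ["alice@example.com", "carol@example.com"]
    print("leaky:   ", enumerate_emails(validate_leaky, probe))
    print("hardened:", enumerate_emails(validate_hardened, probe))
```

The hardened validator still confirms an address when the rest of the form is valid, which is why the post pairs it with the attempt limit and the ban; the throttle counts only attempts that actually reach validation, so rate-limited requests do not advance toward a ban.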